Re: ipfirewall(4)) cannot be changed

From: Santos (sansan_at_cas.port995.com)
Date: 05/26/03

  • Next message: Giorgos Keramidas: "Re: ipfirewall(4)) cannot be changed"
    Date: Mon, 26 May 2003 05:18:24 +0100
    To: Giorgos Keramidas <keramida@ceid.upatras.gr>
    
    

    Giorgos Keramidas wrote:

    > On 2003-05-25 07:57, Santos wrote:
    >
    >>root@vigilante /root cuaa1# man init |tail -n 130 |head -n 5
    >>
    >>3 Network secure mode - same as highly secure mode, plus IP packet
    >> filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and
    >> dummynet(4) configuration cannot be adjusted.
    >>
    >>root@vigilante /root cuaa1# sysctl -a |grep secure
    >>kern.securelevel: 3
    >>[...]
    >>root@vigilante /root cuaa1# sysctl net.inet.ip.fw.enable=0
    >>net.inet.ip.fw.enable: 1 -> 0
    >>
    >>root@vigilante /root cuaa1# ping 216.136.204.21
    >>PING 216.136.204.21 (216.136.204.21): 56 data bytes
    >>64 bytes from 216.136.204.21: icmp_seq=0 ttl=50 time=338.878 ms
    >>^C
    >
    >
    > Try this patch. Unless of course, you're not using IPFW version 1,
    > in which case someone more knowledgeable will hopefully correct me :)
    >
    > <<<<<<<
    > Index: ip_fw.c
    > ===================================================================
    > RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
    > retrieving revision 1.192
    > diff -u -r1.192 ip_fw.c
    > --- sys/netinet/ip_fw.c 19 Feb 2003 05:47:33 -0000 1.192
    > +++ sys/netinet/ip_fw.c 25 May 2003 20:46:37 -0000
    > @@ -95,7 +95,7 @@
    >
    > #ifdef SYSCTL_NODE
    > SYSCTL_NODE(_net_inet_ip, OID_AUTO, fw, CTLFLAG_RW, 0, "Firewall");
    > -SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW,
    > +SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, enable, CTLFLAG_RW|CTLFLAG_SECURE3,
    > &fw_enable, 0, "Enable ipfw");
    > SYSCTL_INT(_net_inet_ip_fw, OID_AUTO,one_pass,CTLFLAG_RW,
    > &fw_one_pass, 0,
    >
    >
    > - Giorgos

    Sorry i missed a uname and a grep :)

    root@vigilante /root p1# uname -a
    FreeBSD vigilante.garden 4.8-RELEASE FreeBSD 4.8-RELEASE #0: Tue May 20
    20:19:53 WEST 2003
    root@vigilante.garden:/usr/obj/usr/src/sys/VIGILANTE i386

    root@vigilante /root p1# grep -i ipfw /sys/i386/conf/VIGILANTE
    options IPFW2

    I hope this gets fixed, it defeats the purpose of secure levels, at
    least, of the 3 one. It would be nice to have a 4 level where sysctl
    variables couldn't be changed, but something tells me that isn't
    possible... some variables are dynamic, change all the time, no?

    Santos

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"


  • Next message: Giorgos Keramidas: "Re: ipfirewall(4)) cannot be changed"